[tor-relays] lets stop using central big DNS resolvers (Google, Level3, OpenDNS, Quad9, Cloudflare)
Nathaniel Suchy (Lunorian)
me at lunorian.is
Fri May 11 11:55:31 UTC 2018
I’m quite worried about the number of relays using Google DNS. With Google DNS, Google gets to know a Tor exit proxied X website at X time. I don’t think they can be trusted with this information.
As for privacy concerns: Google claims these logs are only stored for up to 48 hours. It worries me that the information could be demanded by the FISA Courts (Google would have to comply by law) and three-letter agencies would get access to Tor users’ browsing habits. I know the same could happen with any DNS resolver, although due to the size of Google Public DNS the logs are a goldmine.
I have the same, if not worse, concerns with Cloudflare’s Public DNS (188.8.131.52).
Now I have the burden of providing an alternative; it’s only fair I do so after criticism of the use of Google DNS. My first thought is to use ISP DNS if it’s available - one of the best things about Tor is the split of trust, so why aren’t we doing that with DNS? Another alternative is to use trusted recursive DNSCrypt resolvers (for example dnscrypt.ca - there are plenty of resolvers like this, so use a search engine of your choice to find them). I actually really like the idea of using DNSCrypt resolvers as opposed to commercial DNS provided by ISPs. Thoughts?
Thanks for running Tor Exits
> On May 11, 2018, at 4:15 AM, nusenu <nusenu-lists at riseup.net> wrote:
> Tyler Durden:
>> All our nodes are using a local DNS caching server and only use google
>> as a fallback.
>> The situation is very unlikely to change unless there is a major player
>> on "our side" which offers a free, censorship-free, resilient and stable
>> DNS Service.
> can you describe your (hard) resolver requirements so we can try
> to find Google alternatives for you?
> thank you for running exits!
> twitter: @nusenu_